Overview

The "Quality Profiles" service is the nervous center of Sonar. It enables to define the various sets of source code requirements that should be used when measuring the quality of projects. It also enables to define acceptable thresholds on measures and to trigger alerts when they are reached.

A source code requirement is materialized by a coding rule in Sonar that is active, configured and has a severity. Here is an example : "A method must not have a complexity greater than 10!". Out of the box, Sonar embarks for the Java language several coding rules (requirements) engines : Checkstyle, PMD and Findbugs. Is also provides its own engine for advanced requirements. This represents more than 700 rules in total.

A quality profile is a set of source code requirements. Sonar enables to define several quality to fit various types of projects. Indeed, the requirements are usually not the same when starting to develop from scratch an application or when maintaining an application which is 10 years old, when developing a technical library or a web application. A quality profile is also a set of visual alerts on measures. Here is an example of alert : "Highlight the complexity by method measure in the project's dashboard when this complexity by method is greater than 3."

Here is the entry page of the "Quality Profiles" service :

The "Quality Profiles" service can be accessed by anonymous users but changes require to be logged in as an administrator.

Create a profile

To create a quality profile, click on "Create" button on the upper right and enter the name of the quality profile :

You can optionally provide some Checkstyle, PMD and Findbugs configuration files to fill the new quality profile with some existing rules configurations.

Copy a profile

In order to copy an existing quality profile, click on the "Copy" button next to the profile you want to copy. You are prompted to give the name of the new profile. The profile is the exact copy of the copied one. You can then make desired changes to the new quality profile.

Delete or rename a profile

Click on the "Delete" or "Rename" buttons : Deleting a quality profile, will delete the alerts defined in the profile and will remove the association with projects. If nothing else is done , Sonar will use the default profile to perform the next analysis on the (ex-)associated projects.

Icon

While it is possible to delete a custom quality profile, it is not possible to suppress the ones that ship with Sonar (Sun checks, Sonar way and Sonar way with Findbugs for Java for example).

Edit a profile

Configure rules

The rules configuration tab is the default page where you land when entering a profile. As there are numerous rules available, a very handy search engine is available in the rules configuration screen to filter only the one to configure :

A rule can be activated or deactivated in a single click. Its severity and configuration in the profile can be changed as soon as it is activated.

Some "Bulk Change" actions are also available to quickly activate or deactivate a set of rules. For instance, you can easily add all Findbugs rules to an existing quality profile by : selecting this profile, searching for Findbugs rules and launching "Activate all" action :

Icon

It is only possible to edit custom quality profiles. Quality profiles shipping with Sonar cannot be updated.

Icon

No extra validation action is required to make changes to the profile.

Multiple activations of a rule

Some rules can be activated multiple times in the same quality profile with different parameter's values. Checkstyle "Regexp Singleline" rule and PMD "XPath" rule are those kind of rules.

If a rule can be activated multiple times, a "Copy" button is available at the end of the rule description :

Clicking on the "Copy rule" button displays a form to define the new rule from the parent one :

Once the new rule has been created, it can be managed as any other rules :

Edit alerts

To manage alerts configuration, you should use the "Alerts" tab :;

From there it is possible to fully manage alerts, by adding new one, editing or deleting existing alerts. The principle is the following :

Choose the metric you are interested in

Choose an operator (is greater than, is less than)

Choose the value that will trigger a warning

Choose the value that will trigger an error

Any change to alerts will be used when the next analysis is performed

Profile Inheritance

Maintaining Quality Profiles can be tedious over time, especially where there are many. To ease maintenance of profiles, the ability of inheriting from a profile was added in Sonar 2.5. The principle is that for a custom profile, you can decide that it is going to have a parent profile by using the Profile Inheritance tab :

This means that the quality profile inherits all rules defined in the parent. This is shown visually in the rules configuration screen by a small blue marker next to the rule :

A rule inherited from a parent cannot be de-activated but it is possible to change its parameter(s) and / or is severity. As soon as one of those is changed, a red marker replaces the blue marker

Changes made to an inherited rule can be reverted by using the button "Revert to parent definition"

Icon

Alerts are not inherited from a parent profile

Extend rules description

Each rule comes with a description in Sonar, but it sometimes needs to be extended: insufficient description, internal description, note on activation of a rule in a profile... This is why Sonar enables to extend rules description in 2 ways:

First the ability to extend the description of a rule to give more details for example. This is going to be attached to the rule in every profile and will also be available when clicking on a violation:

But we have also added the ability to comment a rule in the context of a specific quality profile, to comment for example why it has been assigned a high priority or a special threshold :

Project association

To associate a project to a quality profile, you can use the "Projects" tab : The projects associated to a profile will appear in the right hand box. It is possible to move projects around by selecting them and use one of the 4 actions listed. A project can be associated to only one profile at the time. When a project is not explicitly associated to a quality profile, Sonar uses the default quality profile to perform the next analysis.

Backup/Restore profile

This backup/restore mechanism is useful for instance to promote a quality profile from a test environment to a production environment or to share quality profile with contractors.

Click on the "Backup" button to export an XML file :

To restore a quality profile, click on the "Restore profile" link on the upper right of the "Quality profiles" page, choose the XML file to restore and click on the "Restore profile" button :

Compare profiles

Since Sonar 2.8. It is possible to compare 2 quality profiles to understand the difference between them :

The comparison service shows all differences (rules in one profile but not in the other, parameters differences) and also identical ones :

Version Control

Every time a change is made to a quality profile, it is going to appear in the changes log

Rules extensions

Checkstyle and PMD provide extension mechanisms to develop custom coding rules. Tutorials to write such custom coding rules are available online for both Checkstyle and PMD. You can for instance define your own naming conventions, forbid access to a given API or anything else that is relevant in your context.

Once this is done, you must feed the Sonar web server with those coding rules extensions. Here are the process to follow for both Checkstyle and PMD coding rules.

Checkstyle

The Checkstyle coding rules must be packaged in a JAR file and this file must be copy in the $SONAR_HOME/extensions/rules/checkstyle/ directory.

A XML file must then be created in the same $SONAR_HOME/extensions/rules/checkstyle/ directory to "index" all available custom rules implemented in the JAR file. The name of this XML file doesn't matter but the .xml suffix must be used.

This XML file must look like the following example :

PMD

The PMD coding rules must be packaged in a JAR file and this file must be copy in the $SONAR_HOME/extensions/rules/pmd/ directory. Moreover, the JAR file must also contain the PMD ruleset XML file (in the following example, this XML file will be available through the classloader with the following path : rulesets/myruleset.xml)

A XML file must then be created in the same $SONAR_HOME/extensions/rules/pmd/ directory to "index" all available custom rules implemented in the JAR file. The name of this XML file doesn't matter but the .xml suffix must be used.